Kaspersky Lab: connected cars are now a reality, but are they secure?

Kaspersky Lab and IAB, Spain’s leading marketing and digital media company, announce the launch of the First Annual Connected Cars Study, a pioneering piece of research.

The main objective of this study is to provide an overview of the connected car market, combining all available information to answer some burning questions and bring some unity to the highly fragmented software ecosystem currently offered by manufacturers. Vicente Diaz, Principal Security Researcher at Kaspersky Lab, was responsible for developing a proof of concept to analyze the safety implications of connecting these cars to the Internet.

Motorists can no longer ignore safety concerns about the communications and Internet services included in the new generation of “connected cars”. This is much more than just helping to park your car safely; it now encompasses access to social networks, email, smartphone connectivity, route calculation, in-car apps, etc. These technologies offer great advantages to drivers, but they also bring new risks to today’s users. That’s why it is essential to analyze the different vectors that could result in cyber-attacks, accidents or even fraudulent maintenance of the vehicle.

Privacy, updates and smartphone apps for these cars could be turned into three separate attack vectors for cybercriminals. “Connected cars can open the door to threats that have long existed in the PC and smartphone world. For example, the owners of connected cars could find their passwords are stolen. This would identify the location of the vehicle, and enable the doors to be unlocked remotely. Privacy issues are crucial and today’s motorists need to be aware of new risks that simply never existed before,” said Diaz.

Kaspersky Lab’s proof of concept, based on an analysis of BMW’s ConnectedDrive system, found several potential attack vectors:

Stolen Credentials: Stealing the credentials needed to access BMW’s website – using familiar means like phishing, keyloggers or social engineering – could result in unauthorized third-party access to user information and then to the vehicle itself. From here it is possible to install a mobile app with the same credentials and potentially enable remote services before opening up the car and driving it away.

Mobile Application: If you activate the mobile remote opening services, you effectively create a new set of keys for your car. If the application is not secured, anyone who steals the phone could gain access to the vehicle. With a stolen phone it would be possible to change database applications and bypass any PIN authentication, making it easy for a cyber-attacker to activate remote services.

Updates: Bluetooth drivers are updated by downloading a file from the BMW website and installing it from a USB stick. This file is neither encrypted nor signed, and it contains a lot of information about the internal systems running on the vehicle. This could give a potential attacker insight into the targeted environment, and the file could also be modified to run malicious code.
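The mitigation a practitioner would want for the update finding above is authenticated updates: the installer refuses any file whose signature, payload digest or version does not check out before it touches a vehicle component. The following is an added illustration written for this page, not Kaspersky Lab’s proof of concept or BMW’s update code. It assumes a hypothetical package layout (a small manifest of version plus SHA-256 of the payload, an Ed25519 signature over that manifest, and the payload), a vendor public key baked into the vehicle, and a constructed payload string in place of a real driver image.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical layout for an update read from USB:
// a manifest (Version + Digest of Payload), an Ed25519 signature over
// that manifest, and the payload itself. Not a real vendor format.
type UpdatePackage struct {
	Version   uint32
	Digest    [sha256.Size]byte
	Signature []byte
	Payload   []byte
}

var (
	ErrBadSignature = errors.New("update rejected: manifest signature does not verify")
	ErrDigest       = errors.New("update rejected: payload does not match signed digest")
	ErrRollback     = errors.New("update rejected: version is not newer than installed")
)

// manifestBytes serialises the signed part of the package: big-endian
// version followed by the payload digest.
func manifestBytes(version uint32, digest [sha256.Size]byte) []byte {
	buf := make([]byte, 4, 4+sha256.Size)
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, digest[:]...)
}

// SignUpdate is what a vendor build system would do with its offline
// signing key; the private key never reaches the vehicle.
func SignUpdate(priv ed25519.PrivateKey, version uint32, payload []byte) UpdatePackage {
	digest := sha256.Sum256(payload)
	return UpdatePackage{
		Version:   version,
		Digest:    digest,
		Signature: ed25519.Sign(priv, manifestBytes(version, digest)),
		Payload:   payload,
	}
}

// VerifyUpdate is the check the in-vehicle installer runs before applying
// anything: signature, payload binding, then anti-rollback.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, pkg UpdatePackage) error {
	// 1. The manifest must carry a valid signature from the vendor key.
	if !ed25519.Verify(pub, manifestBytes(pkg.Version, pkg.Digest), pkg.Signature) {
		return ErrBadSignature
	}
	// 2. The payload must hash to the signed digest, so a modified file
	//    cannot ride along under a genuine manifest.
	actual := sha256.Sum256(pkg.Payload)
	if !bytes.Equal(actual[:], pkg.Digest[:]) {
		return ErrDigest
	}
	// 3. A correctly signed but older package is still refused.
	if pkg.Version <= installed {
		return ErrRollback
	}
	return nil
}

// Demo signs a constructed payload and returns the installer's verdict for
// a genuine package, a package whose payload was altered after signing,
// and a signed package older than the installed version.
func Demo() (genuine, tampered, rollback error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor key pair, generated here for the demo
	if err != nil {
		panic(err)
	}
	const installed uint32 = 4
	payload := []byte("constructed Bluetooth driver image, not a real vendor file")

	good := SignUpdate(priv, installed+1, payload)
	genuine = VerifyUpdate(pub, installed, good)

	bad := SignUpdate(priv, installed+1, payload)
	bad.Payload = append([]byte{}, payload...) // copy so the genuine package is untouched
	bad.Payload[0] ^= 0xff                    // flip one byte after signing
	tampered = VerifyUpdate(pub, installed, bad)

	old := SignUpdate(priv, installed-1, payload)
	rollback = VerifyUpdate(pub, installed, old)
	return genuine, tampered, rollback
}

func main() {
	genuine, tampered, rollback := Demo()
	fmt.Println("genuine package:", genuine)
	fmt.Println("tampered payload:", tampered)
	fmt.Println("older version:", rollback)
}
```

The signature covers only the manifest, and the manifest binds the payload through its digest; that is why an altered payload fails at step 2 rather than step 1. Signing does not by itself hide the internal-system details the release mentions, so a vendor that also wants confidentiality would encrypt the payload separately.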

Communications: Some functions communicate with the SIM inside the vehicle using SMS. Breaking into this communication channel makes it possible to send ‘fake’ instructions, depending on the operator’s level of encryption. In a worst-case scenario, a criminal could replace BMW’s communications with his/her own instructions and services.

The study also looks into online connectivity and the leading apps in the Spanish automobile industry, as well as exploring business models and future trends in connectivity platforms on the market. The report analyzes 21 different models of vehicle, and its main findings are:

• OS, connection modes and apps are highly fragmented.

• Free services are time limited: many manufacturers offer a free subscription for a certain time only.

• Coverage problems: many online services need 3G connectivity.

• Data use: some users would have to pay for additional data.

• Voice assistants: most models use them, as they are one of the safest ways to control connectivity.